The website of the Indian Railways has been a subject of ridicule owing to the various security flaws that have been discovered in its website over the years. When it comes to protecting user data, the website has been lacking in many ways.

The website was previously hacked in 2016 when the details of over 1 crore users were leaked. Last year, Kanishk Sanjani, an ethical hacker had ordered food from the IRCTC website for Rs 7. This vulnerability remained unpatched for well over 7 months even after informing concerned authorities.

he popular windows file archival tool WinRAR has been in use for over two decades now. The software is used to view, create, pack and unpack archives in both ZIP and RAR formats. A recent report by The Register has revealed that the tool has a bug that has remained undetected since 2005.

The popular file archiving tool WinRAR has had a bug for at least 14 years that can be exploited to take over your PC.

The bug can pave the way for archive files that can trigger WinRAR to actually install whatever malware is secretly inside, according to the security firm Check Point, which discovered the software flaw.

"The exploit works by just extracting an archive, and puts over 500 million users at risk," the company said in a detailed report published on Wednesday.

If you are an avid user of password managers, you might just be in for a surprise. A recent study by researchers at the Independent Security Evaluators found that a number of popular password managers were storing master passwords as plain text within the main memory of devices.

To an expert hacker, this vulnerability is equivalent to getting the keys to multiple accounts as a text document on your computer. The master key of any password manager can be used to gain access to all usernames and passwords being managed by it.

Some kernel developers recently have been trying to work around the massive, horrifying, long-term security holes that have recently been discovered in Intel hardware. In the course of doing so, there were some interesting comments about coding practices.

Christoph Hellwig and Jesper Dangaard Brouer were working on mitigating some of the giant speed sacrifices needed to avoid Intel's gaping security holes. And, Christoph said that one such patch would increase the networking throughput from 7.5 million packets per second to 9.5 million—a 25% speedup.

To do this, the patch would check the kernel's "fast path" for any instances of dma_direct_ops and replace them with a simple direct call.

Linus Torvalds liked the code, but he noticed that Jesper and Christoph's code sometimes would perform certain tests before testing the fast path. But if the kernel actually were taking the fast path, those tests would not be needed. Linus said, "you made the fast case unnecessarily slow."

Initially planned to ship in early 2019, the revolutionary Librem 5 mobile phone was delayed for April 2019, but now it suffered just one more delay due to the CPU choices the development team had to make to deliver a stable and reliable device that won't heat up or discharge too quickly.

Purism had to choose between the i.MX8M Quad or the i.MX8M Mini processors for their Librem 5 Linux-powered smartphone, but after many trials and errors they decided to go with the i.MX8M Quad CPU as manufacturer NXP recently released a new software stack solving all previous power consumption and heating issues.

In the beginning, programs run on the in-kernel BPF virtual machine had no persistent internal state and no data that was shared with any other part of the system. The arrival of eBPF and, in particular, its maps functionality, has changed that situation, though, since a map can be shared between two or more BPF programs as well as with processes running in user space. That sharing naturally leads to concurrency problems, so the BPF developers have found themselves needing to add primitives to manage concurrency (the "exchange and add" or XADD instruction, for example). The next step is the addition of a spinlock mechanism to protect data structures, which has also led to some wider discussions on what the BPF memory model should look like.

A BPF map can be thought of as a sort of array or hash-table data structure. The actual data stored in a map can be of an arbitrary type, including structures. If a complex structure is read from a map while it is being modified, the result may be internally inconsistent, with surprising (and probably unwelcome) results. In an attempt to prevent such problems, Alexei Starovoitov introduced BPF spinlocks in mid-January; after a number of quick review cycles, version 7 of the patch set was applied on February 1. If all goes well, this feature will be included in the 5.1 kernel.

For just over the past year Intel open-source driver developers have been developing a new Gallium3D-based OpenGL driver for Linux systems as the eventual replacement to their long-standing "i965 classic" Mesa driver. The Intel developers are now confident enough in the state of this new driver dubbed Iris that they are looking to merge the driver into mainline Mesa proper.

The Iris Gallium3D driver has now matured enough that Kenneth Graunke, the Intel OTC developer who originally started Iris in late 2017, is looking to merge the driver into the mainline code-base of Mesa. The driver isn't yet complete but it's already in good enough shape that he's looking for it to be merged albeit marked experimental.

Collabora is headed to Nuremberg, Germany next week to take part in the 2019 edition of Embedded World, "the leading international fair for embedded systems". Following a successful first attendance in 2018, we are very much looking forward to our second visit! If you are planning on attending, please come say hello in Hall 4, booth 4-280!

This year, we will be showcasing a state-of-the-art infrastructure for end-to-end, embedded software production. From the birth of a software platform, to reproducible continuous builds, to automated testing on hardware, get a firsthand look at our platform building expertise and see how we use continuous integration to increase productivity and quality control in embedded Linux.

The Kernel Address Sanitizer (KASAN) that detects dynamic memory errors within the Linux kernel code has just picked up another win with uncovering a use-after-free vulnerability that's been around since the early Linux 2.6 kernels.

KASAN (along with the other sanitizers) have already proven quite valuable in spotting various coding mistakes hopefully before they are exploited in the real-world. The Kernel Address Sanitizer picked up another feather in its hat with being responsible for the CVE-2019-8912 discovery.

The io_uring mechanism that was described here in January has been through a number of revisions since then; those changes have generally been fixing implementation issues rather than changing the user-space API. In particular, this patch set seems to have received more than the usual amount of security-related review, which can only be a good thing. Security concerns became a bit of an obstacle for io_uring, though, when virtual filesystem (VFS) maintainer Al Viro threatened to veto the merging of the whole thing. It turns out that there were some reference-counting issues that required his unique experience to straighten out.
The VFS layer is a complicated beast; it must manage the complexities of the filesystem namespace in a way that provides the highest possible performance while maintaining security and correctness. Achieving that requires making use of almost all of the locking and concurrency-management mechanisms that the kernel offers, plus a couple more implemented internally. It is fair to say that the number of kernel developers who thoroughly understand how it works is extremely small; indeed, sometimes it seems like Viro is the only one with the full picture.

In keeping with time-honored kernel tradition, little of this complexity is documented, so when Viro gets a moment to write down how some of it works, it's worth paying attention. In a long "brain dump", Viro described how file reference counts are managed, how reference-count cycles can come about, and what the kernel does to break them. For those with the time to beat their brains against it for a while, Viro's explanation (along with a few corrections) is well worth reading. For the rest of us, a lighter version follows.

Today, the world has become heavily reliant on computers owing to the various advantages they offer. It has thus become imperative that we, as users, remain updated about the various threats that can compromise the security of our data and privacy.

A recent report published by Hackaday details a new threat that might just compromise the integrity of devices. At first glance, the O.MG cable (Offensive MG Kit) looks like any other USB cable available in the market. It is what lurks within that is a cause for concern.

WiFi Hides Inside a USB Cable [Ed: There are far worse things, like USB devices that send a high-voltage payload to burn your whole motherboard. Do not use/insert untrusted devices from dodgy people.]

Linux has a strong reputation for being the most secure operating system on the market. It’s been like that for many years, and it doesn’t seem like Windows or macOS are going to overtake it anytime soon. And while the operating system’s reputation is well-deserved, it can also be harmless experienced users.

The problem is that some seem to put too much trust in the capabilities of Linux by default. As a result, they often don’t pay enough attention to the manual aspect of their security. Linux can help you automate your workflow to a large extent, but it still requires a manual touch to keep things going well. This is even truer when it comes to security.

Unix systems (including Linux and Mac OS), by their very nature, have distinct challenges when it comes to security and administration. Because native Unix-based systems are not linked to one another, each server or OS instance requires its own source of authentication and authorization.

With countless job openings and growth with no end in sight, InfoSec is the place to be. Many pose the question, “Where do I start?” Over his years of training hackers and eventual security experts across a wide array of industries and occupations, the author ascertains that one of the biggest hurdles that many up-and-coming professional hackers face is the lack of a foundational knowledge or experience with Linux. In an effort to help new practitioners grow, he made the decision to pen a basic ‘How To’ manual, of sorts, to introduce foundational concepts, commands and tricks in order to provide instruction to ease their transition into the world of Linux. Out of this effort, “Linux Basics for Hackers” was born.

Data breach is becoming quite a nightmare for a lot of people with new breaches coming every now and then. In a recent data breach, millions of calls that were made by the Swedish residents have been exposed online. The Swedes were seeking medical advice through a national health telephone service in order to know more about symptoms and medications.

According to reports, about 2.7 million conversations amounting to more than 170,000 hours are available online. The data in the conversation is extremely private with people talking about their diseases, symptoms, illness, and giving out their social security numbers. This breach has left the Swedish authorities bewildered as they investigate the whole thing.

Data of the calls dates back to 2013 and is available for anyone to download and listen. Security expert Mikko Hypponen says that the audio calls were saved as Wav files. These files were left open on an unsecured server. This allowed any person to listen or download the 2.7 million conversations of the Swedish people. No encryption or authentication was required to crack the data making it easily available on the internet.

Recently, a NATO research group published a study on just how easy it is to target soldiers online and squeeze them for military intelligence. Posing as the enemy, the group was tasked with finding out as much as they could about an upcoming military exercise using nothing more than social media. Posting targeted Facebook ads as bait, they managed to lure dozens of soldiers into fake Facebook groups.

While impostor accounts squeezed them for info, other researchers simply used Facebook's "Suggest Friends" feature to get information on their entire units. Having their names and details, the group could track them over other social platforms and mine for dirt -- like how one soldier was happily married on Facebook, but single and ready to mingle on several dating apps.

Update: Internet of Dongs has produced its own supplementary assessments that delve into more nuance on these devices, they make a good case that Mozilla's criteria are too coarse to assess smart sex toys.

“At the end of the day, this can be serious,” Caltrider says. “These [devices] exist in the world, they're likely to be gifts, and so we wanted to get people to sit back and think, What are the privacy implications?”

The exposed data was brought to notice by a security expert who wants to remain anonymous. French security researcher Robert Baptiste who goes by the Twitter handle Elliot Alderson used a custom-built Python script to scrape this database and was able to customer data for 11,000 dealers. This data included the name and addresses of customers as well as their Aadhaar numbers. According to Baptiste, he was able to get details of 5.7 mn Indane customers before his script was blocked.

Middleware, both as a term and as a concept, has been around for decades. As a term, like other terms in the Darwinian world of IT jargon, it has followed a typical fashion lifecycle and is perhaps somewhat past its apogee of vogue. As a concept, however, middleware is more relevant than ever, and while a memetic new label hasn't quite displaced the traditional term, the capabilities themselves are still very much at the heart of enterprise application development.

Middleware is about making both developers and operators more productive. Analogous to standardized, widely-used, proven subassemblies in the manufacture of physical goods such as cars, middleware relieves developers from "reinventing the wheel" so that they can compose and innovate at higher levels of abstraction. For the staff responsible for operating applications in production, at scale, with high reliability and performance, the more such applications use standardized middleware components and services, the more efficient and reliable the running of the application can be.

Emails were sent last night to all users that may have been affected by recent [breaches], with a new password being mandatory, as it tries to avoid the "I'll do it later" attitude that means that often vulnerable passwords remain in use for months or years.

Mondelez’s claim represents just a fraction of the billions of dollars in collateral damage caused by NotPetya, a destructive, indiscriminate cyberattack of unprecedented scale, widely suspected to have been launched by Russia with the aim of hurting Ukraine and its business partners. A compromised piece of Ukrainian accounting software allowed NotPetya to spread rapidly around the world, disrupting business operations and causing permanent damage to property of Mondelez and many others. According to reports, Zurich apparently rejected Mondelez’s claim on the grounds that NotPetya was an act of war and, therefore, excluded from coverage under its policy agreement. If the question of whether and how war risk exemptions apply is left to the courts to decide on a case-by-case basis, this creates a profound source of uncertainty for policyholders about the coverage they obtain.

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

With elections just three months away, Australian Prime Minister Scott Morrison announced on February 18 that the networks of the three major national political parties had been breached by what Australian security officials described as a "sophisticated state actor."

Attackers who infiltrated the Australian Parliament network and also the systems of the Liberal, National and Labor Parties appear to have used Web shells – scripts that can be uploaded to a Web server to enable remote administration of a machine.

Mozilla recently launched Firefox Monitor, a service that allows users to find out if their account has been been part of a data breach and has been compromised. Firefox Monitor provides data from the popular service Have I Been Pwned. Mozilla has been working hard day and night to improve the Firefox browser and as a part of security improvements, comes Firefox Monitors’s integration with the Firefox desktop browsers.

Back in November last year, Mozilla announced in a blog post that the Firefox Monitor service was being integrated with the Firefox desktop browser to warn users with a notification when visiting sites that were known to be involved in a data breach. The company said that the update was going to be rolled out to all Firefox users in the coming weeks. According to Techdows, as of February 18, 2019, all the Firefox desktop users have received the Firefox Monitor integration update.

Gnosticplayers has been on fire recently, having put 620 million accounts for sale and then followed it up by another 127 million accounts. The asking price for the first round of data hack was about $20,000 while for the second round it was around $14,500.

More in Tux Machines

today's leftovers

For those concerned that running Clear Linux means less available packages/bundles than the likes of Debian, Arch Linux, and Fedora with their immense collection of packaged software, Clear has a goal this year of increasing their upstream components available on the distribution by three times.
Intel Fellow Arjan van de Ven provided an update on their bundling state/changes for the distribution. In this update he shared that the Clear Linux team at Intel established a goal this year to have "three times more upstream components in the distro. That's a steep growth, and we want to do that with some basic direction and without reducing quality/etc. We have some folks figuring out what things are the most desired that we lack, so we can add those with most priority... but this is where again we more than welcome feedback."

You might think this annual poll would be fairly similar from year to year, from what distros we list to how people answer, but the results are wildly different from year to year.
(At the time of the creation of each poll, we pull the top 15 distributions according to DistroWatch over the past 12 months.)
Last year, the total votes tallied in at 15,574! And the winner was PCLinuxOS with Ubuntu a close second. Another interesting point is that in 2018, there were 950 votes for "other" and 122 comments compared to this year with only 367 votes for "other" and 69 comments.

Fedora operating system releases are (largely) time-based activity where a new base operating system (kernel, libraries, compilers) is built and tested against our Editions for functionality. This provides a new source for solutions to be built on. The base operating systems may continue to be maintained on the current 13 month life cycle — or services that extend that period may be provided in the future. A solution is never obligated to build against all currently maintained bases.

If you've lived through a major, natural disaster, you know that during the first few days you'll probably have to rely on a mental map, instead of using a smartphone as an extension of your brain. Where's the closest hospital with disaster care? What about shelters? Gas stations? And how many soft story buildings—with their propensity to collapse—will you have to zig-zag around to get there?
Trying to answer these questions after moving back to earthquake-prone San Francisco is why I started the Resiliency Maps project. The idea is to store information about assets, resources, and hazards in a given geographical area in a map that you can download and print out. The project contributes to and is powered by OpenStreetMap (OSM), and the project's entire toolkit is open source, ensuring that the maps will be available to anyone who wants to use them.

Drupal is the third most-widely used CMS behind WordPress and Joomla. With an estimated 3 percent to 4 percent of the world's billion-plus websites, that means Drupal runs tens of millions of sites. Critical flaws in any CMS are popular with hackers, because the vulnerabilities can be unleashed against large numbers of sites with a single, often-easy-to-write script.

Bradley Kuhn works for the Software Freedom Conservancy (SFC) and part of what that organization does is to think about the problems that software freedom may encounter in the future. SFC worries about what will happen with the four freedoms as things change in the world. One of those changes is already upon us: the Internet of Things (IoT) has become quite popular, but it has many dangers, he said. Copyleft can help; his talk is meant to show how.
It is still an open question in his mind whether the IoT is beneficial or not. But the "deep trouble" that we are in from IoT can be mitigated to some extent by copyleft licenses that are "regularly and fairly enforced". Copyleft is not the solution to all of the problems, all of the time—no idea, no matter how great, can be—but it can help with the dangers of IoT. That is what he hoped to convince attendees with his talk.
A joke that he had seen at least three times at the conference (and certainly before that as well) is that the "S" in IoT stands for security. As everyone knows by now, the IoT is not about security. He pointed to some recent incidents, including IoT baby monitors that were compromised by attackers in order to verbally threaten the parents. This is "scary stuff", he said.

Pat decided to update the Python 3 to version 3.7.2. This update from 3.6 to 3.7 broke binary compatibility and a lot of packages needed to be rebuilt in -current. But you all saw the ChangeLog.txt entry of course.
In my ‘ktown’ repository with Plasma5 packages, the same needed to happen. I have uploaded a set of recompiled packages already, so you can safely upgrade to the latest -current as long as you also upgrade to the latest ‘ktown’. Kudos to Pat for giving me advance warning so I could already start recompiling my own stuff before he uploaded his packages.

The KDE Community has just announced the wider integration of Matrix instant messaging into its communications infrastructure. There are instructions on the KDE Community Wiki as well.
So what’s the state of modern chat with KDE-FreeBSD?
The web client works pretty well in Falkon, the default browser in a KDE Plasma session on FreeBSD. I don’t like leaving browsers open for long periods of time, so I looked at the available desktop clients. Porting Quaternion to FreeBSD was dead simple. No compile warnings, nothing, just an hour of doing some boilerplate-ish things, figuring out which Qt components are needed, and doing a bunch of test builds. So that client is now available from official FreeBSD ports. The GTK-based client Fractal was already ported, so there’s choices available for native-desktop applications over the browser or Electron experience.

If you followed Kdenlive’s activity these last years, you know that we dedicated all our energy into a major code refactoring. During this period, which is not the most exciting since our first goal was to simply restore all the stable version’s features, we were extremely lucky to see new people joining the core team, and investing a lot of time in the project.
We are now considering to release the updated version in April, with KDE Applications 19.04. There are still a few rough edges and missing features (with many new ones added as well), but we think it now reached the point where it is possible to start working with it.

Preliminary Support Allows Linux KVM To Boot Xen HVM Guests

As one of the most interesting patch series sent over by an Oracle developer in quite a while at least on the virtualization front, a "request for comments" series was sent out on Wednesday that would enable the Linux Kernel-based Virtual Machine (KVM) to be able to boot Xen HVM guests.
The 39 patches touching surprisingly just over three thousand lines of code allow for Linux's KVM to run unmodified Xen HVM images as well as development/testing of Xen guests and Xen para-virtualized drivers. This approach is different from other efforts in the past of tighter Xen+KVM integration.

Servers: Kubernetes, SUSE Enterprise Storage and Microsoft/SAP

One of the questions I get asked quite often by people who are just starting or are simply not used to the “new” way things are done in IT is, “What is the cloud?” This, I think, is something you get many different answers to depending on who you ask. I like to think of it this way: The cloud is a grouping of resources (compute, storage, network) that are available to be used in a manner that makes them both highly available and scalable, either up or down, as needed. If I have an issue with a resource, I need to be able to replace that resource quickly — and this is where containers come in. They are lightweight, can be started quickly, and allow us to focus a container on a single job. Containers are also replaceable. If I have a DB container, for instance, there can’t be anything about it that makes it “special” so that when it is replaced, I do not lose operational capability.

As your data needs continue to expand, it’s important to have a storage solution that’s both scalable and easy to manage. That’s particularly true when you’re managing common gateway resources like iSCSI that provide interfaces to storage pools built in Ceph. In this white paper, you’ll see how to use the SUSE Enterprise Storage openATTIC management console to create RADOS block devices (RBDs), pools and iSCSI interfaces for use with Linux, Windows and VMware systems.